Trublu182

asked on

Cisco Router 1811 and iChat

Can't get iChat Video Conferencing to work with a Cisco Router 1811.  I've forwarded the needed ports according to the instructions Apple puts out at http://docs.info.apple.com/article.html?artnum=93208

I've confirmed that iChat video conferencing works on the mac by hooking it up in front of the router with an outside IP address, but once it gets behind the router with an internal address, iChat video conferencing doesn't work.

In troubleshooting, I've disabled both the firewalls going in and out on the exit interface (fastethernet0) and iChat still doesn't work.  I think I have all the right ports forwarded.  Just at a loss as to what to do now.

Here's my config if it helps.

Thanks in advance!


Building configuration...

Current configuration : 11734 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 10.5.80.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication ppp login local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.80.1 10.5.80.99
ip dhcp excluded-address 10.5.80.141 10.5.80.254
ip dhcp excluded-address 10.5.81.1 10.5.81.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.5.80.0 255.255.254.0
   dns-server 4.2.2.2
   default-router 10.5.80.1
!
ip dhcp pool mac1
   host 10.5.80.99 255.255.254.0
   client-identifier 0100.1451.1a0d.1a
   client-name mac1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC appleqtc
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  quit
username 580Schmitz privilege 15 secret 5 XXX
username vpntest privilege 0 password 7 XXX
!
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.95.X.X 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip mroute-cache
 peer default ip address pool pptp
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.5.80.1 255.255.254.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool pptp 10.5.81.10 10.5.81.50
ip route 0.0.0.0 0.0.0.0 128.95.X.X
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 10.5.80.99 5190 128.95.X.X 5190 extendable
ip nat inside source static tcp 10.5.80.99 5220 128.95.X.X 5220 extendable
ip nat inside source static tcp 10.5.80.99 5222 128.95.X.X 5222 extendable
ip nat inside source static tcp 10.5.80.99 5298 128.95.X.X 5298 extendable
ip nat inside source static udp 10.5.80.99 5060 128.95.X.X 5060 extendable
ip nat inside source static udp 10.5.80.99 5190 128.95.X.X 5190 extendable
ip nat inside source static udp 10.5.80.99 5297 128.95.X.X 5297 extendable
ip nat inside source static udp 10.5.80.99 5298 128.95.X.X 5298 extendable
ip nat inside source static udp 10.5.80.99 5678 128.95.X.X 5678 extendable
ip nat inside source static udp 10.5.80.99 16384 128.95.X.X 16384 extendable
ip nat inside source static udp 10.5.80.99 16385 128.95.X.X 16385 extendable
ip nat inside source static udp 10.5.80.99 16386 128.95.X.X 16386 extendable
ip nat inside source static udp 10.5.80.99 16387 128.95.X.X 16387 extendable
ip nat inside source static udp 10.5.80.99 16388 128.95.X.X 16388 extendable
ip nat inside source static udp 10.5.80.99 16389 128.95.X.X 16389 extendable
ip nat inside source static udp 10.5.80.99 16390 128.95.X.X 16390 extendable
ip nat inside source static udp 10.5.80.99 16391 128.95.X.X 16391 extendable
ip nat inside source static udp 10.5.80.99 16392 128.95.X.X 16392 extendable
ip nat inside source static udp 10.5.80.99 16393 128.95.X.X 16393 extendable
ip nat inside source static udp 10.5.80.99 16394 128.95.X.X 16394 extendable
ip nat inside source static udp 10.5.80.99 16395 128.95.X.X 16395 extendable
ip nat inside source static udp 10.5.80.99 16396 128.95.X.X 16396 extendable
ip nat inside source static udp 10.5.80.99 16397 128.95.X.X 16397 extendable
ip nat inside source static udp 10.5.80.99 16398 128.95.X.X 16398 extendable
ip nat inside source static udp 10.5.80.99 16399 128.95.X.X 16399 extendable
ip nat inside source static udp 10.5.80.99 16400 128.95.X.X 16400 extendable
ip nat inside source static udp 10.5.80.99 16401 128.95.X.X 16401 extendable
ip nat inside source static udp 10.5.80.99 16402 128.95.X.X 16402 extendable
ip nat inside source static udp 10.5.80.99 16403 128.95.X.X 16403 extendable
ip nat inside source static tcp 10.5.80.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 10.5.80.99 21 192.168.2.49 21 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.5.80.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.5.80.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 102 permit tcp any host 128.95.X.X eq 1723
access-list 102 permit gre any host 128.95.X.X
access-list 102 permit tcp any host 128.95.X.X eq 5190
access-list 102 permit tcp any host 128.95.X.X eq 5220
access-list 102 permit tcp any host 128.95.X.X eq 5222
access-list 102 permit tcp any host 128.95.X.X eq 5298
access-list 102 permit udp any host 128.95.X.X eq 5060
access-list 102 permit udp any host 128.95.X.X eq 5190
access-list 102 permit udp any host 128.95.X.X eq 5297
access-list 102 permit udp any host 128.95.X.X eq 5298
access-list 102 permit udp any host 128.95.X.X eq 5678
access-list 102 permit udp any host 128.95.X.X range 16384 16403
access-list 102 deny   ip any any log
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp-data
access-list 103 deny   ip any any log
access-list 120 permit ip 10.5.80.0 0.0.1.255 any
no cdp run
!
!
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
!
!
radius-server local
  nas 10.5.80.1 key 7 XXX
  group VPN_Users
  !
  user 0014bfd84f23 nthash 7 06242B071D1B2D382340415C5D217C7C017A116776435F325227777B0D010D5A5A mac-auth-only
  user 0012f0ae1286 nthash 7 075C026E172A415D3346532D527D73057D626777302130265072010007052F2749 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.5.80.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCC Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 password 7 XXX
 transport input telnet ssh
line vty 5 193
 access-class 100 in
 password 7 XXX
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

pjtemplin

Repeat your NAT translations for TCP/UDP.  Both are used.

<rant>I absolutely HATE when people quote port numbers without the protocol before it.  I'm furious to see a company like Apple being so ambiguous in their documentation.</rant>

OK, I feel better now.  :)
Les Moore

>ip route 0.0.0.0 0.0.0.0 128.95.X.X
>ip route 0.0.0.0 0.0.0.0 192.168.2.1

You have two equal cost routes which will cause per-packet load sharing. I'm not sure you want your Chat program to do that... Try your existing config with just one default route and see if that makes a difference.

No, you have two equal cost routes to IP addresses.  It will cause per-DESTINATION (not per-PACKET) load sharing.

>ip cef

Ah, yes. PJ is correct. With CEF enabled, the default load-sharing is per-destination.
Without CEF enabled, per-packet is the default.
Trublu182 (ASKER)

>Repeat your NAT translations for TCP/UDP.  Both are used.

My apologies, I'm not clear on this last instruction.  You mean open up the ports for both UDP and TCP?  I thought I did that with

ip nat inside source static tcp 10.5.80.99 5190 128.95.X.X 5190 extendable

and

ip nat inside source static udp 10.5.80.99 5190 128.95.X.X 5190 extendable

Are they not supposed to be on separate lines?  Or did you mean open up every port for both UDP/TCP?  If possible could you supply an example?

Pjtemplin, Lrmoore, many thanks for your time with this.  Though it's a holiday weekend!  Make sure to focus on vacation first and then work :)

All right, I've verified and reverified that I have the correct TCP and UDP ports from Apple.  I've even tried disabling both my outgoing and incoming firewalls on my FastEthernet0 interface (I only have one exit interface plugged in for now), and still no go.

Is there something I'm missing?

Sigh...

Ok, does ANYONE have a Cisco router that works with iChat?  If so, can you please post your config so I can compare and see why I can't get my router to allow iChat.

Many thanks in advance.

Found the solution!

Not sure if I can explain this right, but Cisco is supposedly a big nut when it comes to internet telephony.  Internet telephony runs on the SIP protocol, the same protocol that Apple's iChat uses for video conferences.  iChat would never work because the SIP protocol it needed to function was being grabbed, so to speak, by the Cisco router for use for internet telephony only.  Thus, the magic command you need to put in your config to stop the Cisco router from being a pain and allow iChat to function is this:

no ip nat service sip udp port 5060

Below is a sample of my config for my Cisco Router 1811 so people can use it as an example.


Building configuration...

Current configuration : 11803 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 10.5.80.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication ppp login local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.80.1 10.5.80.99
ip dhcp excluded-address 10.5.80.141 10.5.80.254
ip dhcp excluded-address 10.5.81.1 10.5.81.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.5.80.0 255.255.254.0
   dns-server 4.2.2.2
   default-router 10.5.80.1
!
ip dhcp pool mac1
   host 10.5.80.99 255.255.254.0
   client-identifier 0100.1451.1a0d.1a
   client-name mac1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC sip-tls
ip inspect name CBAC appleqtc
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  quit
username XXX privilege 15 secret 5 XXX
username XXX privilege 0 password 7 XXX
!
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.X.X.X 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip mroute-cache
 peer default ip address pool pptp
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.5.80.1 255.255.254.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool pptp 10.5.81.10 10.5.81.50
ip route 0.0.0.0 0.0.0.0 128.X.X.X
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip udp port 5060
ip nat inside source static tcp 10.5.80.99 21 interface FastEthernet1 21
ip nat inside source static tcp 10.5.80.99 20 interface FastEthernet1 20
ip nat inside source static udp 10.5.80.99 16403 interface FastEthernet0 16403
ip nat inside source static udp 10.5.80.99 16402 interface FastEthernet0 16402
ip nat inside source static udp 10.5.80.99 16401 interface FastEthernet0 16401
ip nat inside source static udp 10.5.80.99 16400 interface FastEthernet0 16400
ip nat inside source static udp 10.5.80.99 16399 interface FastEthernet0 16399
ip nat inside source static udp 10.5.80.99 16398 interface FastEthernet0 16398
ip nat inside source static udp 10.5.80.99 16397 interface FastEthernet0 16397
ip nat inside source static udp 10.5.80.99 16396 interface FastEthernet0 16396
ip nat inside source static udp 10.5.80.99 16395 interface FastEthernet0 16395
ip nat inside source static udp 10.5.80.99 16394 interface FastEthernet0 16394
ip nat inside source static udp 10.5.80.99 16393 interface FastEthernet0 16393
ip nat inside source static udp 10.5.80.99 16392 interface FastEthernet0 16392
ip nat inside source static udp 10.5.80.99 16391 interface FastEthernet0 16391
ip nat inside source static udp 10.5.80.99 16390 interface FastEthernet0 16390
ip nat inside source static udp 10.5.80.99 16389 interface FastEthernet0 16389
ip nat inside source static udp 10.5.80.99 16388 interface FastEthernet0 16388
ip nat inside source static udp 10.5.80.99 16387 interface FastEthernet0 16387
ip nat inside source static udp 10.5.80.99 16386 interface FastEthernet0 16386
ip nat inside source static udp 10.5.80.99 16385 interface FastEthernet0 16385
ip nat inside source static udp 10.5.80.99 16384 interface FastEthernet0 16384
ip nat inside source static udp 10.5.80.99 5060 interface FastEthernet0 5060
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.5.80.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.5.80.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 102 permit tcp any host 128.X.X.X eq 1723
access-list 102 permit gre any host 128.X.X.X
access-list 102 permit udp any host 128.X.X.X eq 5060
access-list 102 permit udp any host 128.X.X.X range 16384 16403
access-list 102 deny   ip any any log
access-list 103 permit tcp host 10.5.80.99 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 10.5.80.99 host 192.168.2.49 eq ftp-data
access-list 103 deny   ip any any log
access-list 120 permit ip 10.5.80.0 0.0.1.255 any
no cdp run
!
!
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
!
!
radius-server local
  nas 10.5.80.1 key 7 XXX
  group VPN_Users
  !
  user 0014bfd84f23 nthash 7 0224207D5A532B006A195A4E5432445C2956087970786B117335263456530F0D01 mac-auth-only
  user 0012f0ae1286 nthash 7 115A3A274E315354207E73057E646D034656445622707F7D0270565B4C47787C06 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.5.80.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCC Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 password 7 XXX
 transport input telnet ssh
line vty 5 193
 access-class 100 in
 password 7 XXX
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
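Added example, not code from the thread, from Apple or from Cisco: a small Python linter that checks a pasted IOS config for the three points raised above, namely that every TCP and UDP port from Apple's list has both a static NAT entry and an ACL 102 permit (pjtemplin's "repeat for TCP/UDP"), that the SIP ALG is disabled with `no ip nat service sip udp port 5060` (the asker's fix), and how many default routes are present (the equal-cost pair Les Moore and pjtemplin discussed). The config excerpts it runs on are constructed for this example, and the regexes assume only the `ip nat inside source static` and `access-list` line forms shown in the thread.

```python
"""Lint a Cisco IOS config for the iChat AV NAT/ACL entries discussed in this thread.

Constructed example: checks Apple's port list against 'ip nat inside source static'
and 'access-list' lines, confirms the SIP ALG is disabled, and counts default routes.
"""
import re
from typing import Dict, Set, Tuple

Entry = Tuple[str, int]  # (protocol, port)

# Port set from Apple's article quoted in the question; TCP and UDP are separate entries.
ICHAT_TCP = {5190, 5220, 5222, 5298}
ICHAT_UDP = {5060, 5190, 5297, 5298, 5678} | set(range(16384, 16404))
REQUIRED: Set[Entry] = {("tcp", p) for p in ICHAT_TCP} | {("udp", p) for p in ICHAT_UDP}

# Both static-NAT forms seen in the thread: '... <outside ip> <port>' and '... interface X <port>'.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) \S+ (\d+) (?:interface \S+|\S+) (\d+)")
ACL_EQ_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host \S+ eq (\d+)")
ACL_RANGE_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host \S+ range (\d+) (\d+)")
DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+")
SIP_ALG_OFF = "no ip nat service sip udp port 5060"  # the fix the asker found


def static_nat_entries(config: str) -> Set[Entry]:
    """Return (protocol, outside port) for every static port-forward line."""
    found: Set[Entry] = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


def acl_permits(config: str, acl: str) -> Set[Entry]:
    """Return (protocol, port) pairs the numbered ACL permits in to the WAN address."""
    found: Set[Entry] = set()
    for line in config.splitlines():
        line = line.strip()
        m = ACL_EQ_RE.match(line)
        if m and m.group(1) == acl:
            found.add((m.group(2), int(m.group(3))))
            continue
        m = ACL_RANGE_RE.match(line)
        if m and m.group(1) == acl:
            lo, hi = int(m.group(3)), int(m.group(4))
            found.update((m.group(2), p) for p in range(lo, hi + 1))
    return found


def lint(config: str, wan_acl: str = "102") -> Dict[str, object]:
    """Report gaps against the required port set plus the two points raised in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    return {
        "missing_nat": REQUIRED - static_nat_entries(config),
        "missing_acl": REQUIRED - acl_permits(config, wan_acl),
        "sip_alg_disabled": SIP_ALG_OFF in lines,
        "default_routes": sum(1 for l in lines if DEFAULT_ROUTE_RE.match(l)),
    }


def build_sample(disable_sip_alg: bool, protos=("tcp", "udp")) -> str:
    """Constructed config excerpt in the style of the thread's router (not its full config)."""
    lines = ["ip cef",
             "ip route 0.0.0.0 0.0.0.0 128.95.X.X",
             "ip route 0.0.0.0 0.0.0.0 192.168.2.1"]
    if disable_sip_alg:
        lines.append(SIP_ALG_OFF)
    for proto, port in sorted(REQUIRED):
        if proto in protos:
            lines.append(f"ip nat inside source static {proto} 10.5.80.99 {port} "
                         f"interface FastEthernet0 {port}")
    # ACL 102 as in the thread: one 'eq' per port, a single 'range' for the 16384-16403 block.
    for proto, port in sorted(REQUIRED):
        if proto in protos and not 16384 <= port <= 16403:
            lines.append(f"access-list 102 permit {proto} any host 128.95.X.X eq {port}")
    if "udp" in protos:
        lines.append("access-list 102 permit udp any host 128.95.X.X range 16384 16403")
    lines.append("access-list 102 deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    print("udp only, ALG on :", lint(build_sample(False, protos=("udp",))))
    print("tcp+udp, ALG off :", lint(build_sample(True)))
```

Paste a real `show running-config` into `lint()` to see which (protocol, port) pairs lack a NAT entry or an ACL permit; a result of two default routes with `ip cef` present is the per-destination load-sharing case discussed above.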

ASKER CERTIFIED SOLUTION
pjtemplin